CVE-2026-8172

The CVE-2026-8172 entry concerns the WordPress plugin Simple Basic Contact Form (through 20250114). The issue is a Reflected Cross-Site Scripting vulnerability caused by not escaping user-supplied input before reflecting it in the contact form output on validation errors. Impact described: unauth...

IceWarp Mail Server <11.1.1 - Directory Traversal

IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal vulnerability. id: CVE-2015-1503 info: name: IceWarp Mail Server 11.1.1 - Directory Traversal author: 0xAkoko severity: high description: IceWarp Mail Server versions prior to 11.1.1 suffer from a directory traversal...

WeiYe-Jing datax-web <= 2.1.2 - OS Command Injection

A vulnerability, which was classified as critical, has been found in WeiYe-Jing datax-web 2.1.2. Affected by this issue is some unknown functionality of the file /api/log/killJob of the component HTTP POST Request Handler. The manipulation of the argument processId leads to os command injection...

WP Hotel Booking <= 2.0.7 - SQL Injection

WP Hotel Booking WordPress plugin before 2.0.8 contains a SQL injection caused by lack of authorization, CSRF checks, and input escaping in a function hooked to admininit, letting unauthenticated users perform SQL injections, exploit requires no authentication. id: CVE-2023-5652 info: name: WP...

SquirrelMail Address Add 1.4.2 - Cross-Site Scripting

SquirrelMail Address Add 1.4.2 plugin contains a cross-site scripting vulnerability. It fails to properly sanitize user-supplied input, thus allowing an attacker to execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to...

PHPGurukul Hospital Management System 4.0 - SQL Injection

PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\user-login.php. Remote unauthenticated users can exploit the vulnerability to obtain sensitive database information. id: CVE-2020-22165 info: name: PHPGurukul Hospital Management System 4.0 - SQL Injection...

AeroCMS 0.1.1 - SQL Injection

AeroCMS 0.1.1 contains a SQL injection caused by unsanitized author parameter, letting attackers execute arbitrary SQL commands, exploit requires crafted author input. id: CVE-2022-38812 info: name: AeroCMS 0.1.1 - SQL Injection author: shivampand3y severity: medium description: | AeroCMS 0.1.1...

Cobbler 'XML-RPC' - Authentication Bypass

Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. utils.getsharedsecret always returns -1, which allows anyone to connect to cobbler...

PrestaShop 1.7.7.0 - SQL Injection

PrestaShop 1.7.7.0 contains a SQL injection vulnerability via the store system. It allows time-based boolean SQL injection via the module=productcomments controller=CommentGrade idproducts parameter. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized...

ZZZCMS 1.6.1 - Remote Code Execution

ZZZCMS zzzphp V1.6.1 is vulnerable to remote code execution via the inc/zzztemplate.php file because the parserIfLabel function's filtering is not strict, resulting in PHP code execution as demonstrated by the if:assert substring. id: CVE-2019-9041 info: name: ZZZCMS 1.6.1 - Remote Code Execution...

Eclipse Jetty ConcatServlet - Information Disclosure

Eclipse Jetty through 9.4.40, through 10.0.2, and through 11.0.2 is susceptible to information disclosure. Requests to the ConcatServlet with a doubly encoded path can access protected resources within the WEB-INF directory, thus enabling an attacker to potentially obtain sensitive information,...

Microstrategy Web 7 - Cross-Site Scripting

Microstrategy Web 7 does not sufficiently encode user-controlled inputs, resulting in cross-site scripting via the Login.asp Msg parameter. id: CVE-2018-18775 info: name: Microstrategy Web 7 - Cross-Site Scripting author: 0xAkoko severity: medium description: Microstrategy Web 7 does not...

Rubedo CMS <=3.4.0 - Directory Traversal

Rubedo CMS through 3.4.0 contains a directory traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI. id: CVE-2018-16836 info: name:...

Oracle Business Intelligence Publisher - XML External Entity Injection

Oracle Business Intelligence Publisher is vulnerable to an XML external entity injection attack. The supported versions affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise BI Publishe...

Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting

ZyXEL ZyWALL 2 Plus Internet Security Appliance contains a cross-site scripting vulnerability. Insecure URI handling leads to bypass of security restrictions, which allows an attacker to execute arbitrary JavaScript codes to perform multiple attacks. id: CVE-2021-46387 info: name: Zyxel ZyWALL 2...

openSIS Student Information System 8.0 SQL Injection

openSIS Student Information System version 8.0 is susceptible to SQL injection via the studentid and TRANSFERSCHOOL parameters in POST request sent to /TransferredOutModal.php. id: CVE-2021-41691 info: name: openSIS Student Information System 8.0 SQL Injection author: Bartu Utku SARP severity: hi...

Casdoor 1.13.0 - Unauthenticated SQL Injection

Casdoor version 1.13.0 suffers from a remote unauthenticated SQL injection vulnerability via the query API in Casdoor before 1.13.1 related to the field and value parameters, as demonstrated by api/get-organizations. id: CVE-2022-24124 info: name: Casdoor 1.13.0 - Unauthenticated SQL Injection...

OpenDreambox 2.0.0 - Remote Code Execution

OpenDreambox 2.0.0 is susceptible to remote code execution via the webadmin plugin. Remote attackers can execute arbitrary OS commands via shell metacharacters in the command parameter to the /script URI in enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py. id: CVE-2017-14135 info: nam...

ADB/Pirelli ADSL2/2+ Wireless Router P.DGA4001N - Information Disclosure

ADB formerly Pirelli Broadband Solutions P.DGA4001N router with firmware PDGTEFSP4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service device restart as demonstrated by a direct request to 1...

Wavemaker Studio 6.6 - Local File Inclusion/Server-Side Request Forgery

WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value in com/wavemaker/studio/StudioService.java, leading to disclosure of local files and server-side request forgery. id: CVE-2019-8982 info: name: Wavemaker Studio 6.6 - Local File Inclusion/Server-Side Request...